Friday, January 20, 2006

Time synchronization is an essential component of Kerberos authentication, and by extension of Active Directory authentication. The Windows Time Service (W32Time) is responsible for ensuring that all Windows 2000 or later computers share a common time. W32Time communicates over UDP port 123.

Time synchronization follows the domain hierarchy: all desktop computers and member servers nominate their authenticating DC as their in-bound time partner. All DCs in turn rely on the PDC operations master of their domain, which follows the hierarchy of domains, so that the PDC operations master at the root of the forest is authoritative for the whole organization. Either the system clock or a specified external source (such as a GPS receiver or an Internet-based time source) can provide a highly accurate seed for the authoritative time source.

The Windows Time Service relies on the NTP protocol to arbitrate time synchronization between partners. NTP packets carry time stamps that include a time sample from both the client and the server involved in the exchange. NTP's algorithms then select the best time sample and adjust the system clock accordingly.

The Windows Time Service relies on standard domain security features. When a computer requests the time from a DC, W32Time requires that the time packet be authenticated with the session key from the Netlogon service. If the packet is not signed correctly, the time is rejected and the authentication failure is logged to the event log.
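As an added illustration of the NTP exchange described above and of the signed-packet requirement (example code, not from the original post or from W32Time itself), the Python below parses a constructed 48-byte NTP server reply, computes the clock offset and round-trip delay from the four timestamps in the standard NTP way, notes whether an authenticator trailer follows the header (the trailer is not verified here), and checks the offset against a 5-minute Kerberos clock-skew tolerance, which is assumed here as the Kerberos default and is not stated in the post.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800      # seconds from the NTP epoch (1900) to the Unix epoch (1970)
KERBEROS_MAX_SKEW = 300.0          # assumed Kerberos default clock-skew tolerance, 5 minutes
# Constructed sample exchange (not a capture): the server clock runs 400 s ahead of the client.
SAMPLE_T1, SAMPLE_T2, SAMPLE_T3, SAMPLE_T4 = 1137715200.0, 1137715600.25, 1137715600.75, 1137715201.0

def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix seconds."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32

def unix_to_ntp(unix):
    """Inverse of ntp_to_unix; used only to build the constructed sample reply."""
    return int(unix) + NTP_EPOCH_OFFSET, int(round((unix - int(unix)) * 2**32))

def build_server_reply(t1, t2, t3, stratum=2):
    """Build a constructed NTP v3 server reply (mode 4) echoing the client's origin time T1."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4            # leap=0, version=3, mode=4 (server)
    return struct.pack("!BBBb11I", li_vn_mode, stratum, 6, -20, 0, 0, 0, 0, 0,
                       *unix_to_ntp(t1), *unix_to_ntp(t2), *unix_to_ntp(t3))

def parse_ntp_packet(data):
    """Parse the 48-byte NTP header; anything beyond it is an authenticator trailer."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than the 48-byte header")
    f = struct.unpack("!BBBb11I", data[:48])
    return {
        "version": (f[0] >> 3) & 0x7,
        "mode": f[0] & 0x7,                       # 3 = client request, 4 = server reply
        "stratum": f[1],
        "origin": ntp_to_unix(f[9], f[10]),       # T1: client transmit time, echoed by server
        "receive": ntp_to_unix(f[11], f[12]),     # T2: server receive time
        "transmit": ntp_to_unix(f[13], f[14]),    # T3: server transmit time
        "has_authenticator": len(data) > 48,      # signed packets carry a trailer after the header
    }

def clock_offset_and_delay(reply, t4):
    """Standard NTP arithmetic: offset of the local clock from the server, and round-trip delay."""
    p = parse_ntp_packet(reply)
    if p["mode"] != 4:
        raise ValueError("expected a server (mode 4) reply")
    t1, t2, t3 = p["origin"], p["receive"], p["transmit"]
    offset = ((t2 - t1) + (t3 - t4)) / 2   # positive: local clock is behind the server
    delay = (t4 - t1) - (t3 - t2)          # round trip minus the server's processing time
    return offset, delay

def within_kerberos_skew(offset, max_skew=KERBEROS_MAX_SKEW):
    """True if a clock this far off would still pass the assumed Kerberos skew check."""
    return abs(offset) <= max_skew

if __name__ == "__main__":
    reply = build_server_reply(SAMPLE_T1, SAMPLE_T2, SAMPLE_T3)
    off, dly = clock_offset_and_delay(reply, SAMPLE_T4)
    print(f"offset={off:+.3f}s delay={dly:.3f}s kerberos_ok={within_kerberos_skew(off)}")
```

A real W32Time reply from a DC would be longer than 48 bytes because of the authenticator the post describes; this example only reports its presence.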

In general, Windows XP and Windows Server 2003 clients automatically obtain accurate time from their authenticating DCs in the same domain.